[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH] LXC: mount a fresh /run directory for container



On 08/21/2013 05:31 PM, Daniel P. Berrange wrote:
> On Wed, Aug 21, 2013 at 04:22:29PM +0800, Gao feng wrote:
>> The unix socket file /run/systemd/private is used to
>> send reboot/shutdown messages. and since this type of
>> unix sockets are not per net namespace , they are
>> global resources. systemctl in container can use
>> this unix socket to send shutdown message to the
>> systemd-shutdownd running on host. finally the
>> host will be poweroff.
>>
>> this problem occurs when container shares the same
>> root directory with host.
>>
>> this patch umount host's /run directory and mount
>> the /run directory of container as tmpfs.
>>
>> Signed-off-by: Gao feng <gaofeng cn fujitsu com>
>> ---
>>  src/lxc/lxc_container.c | 5 +++++
>>  1 file changed, 5 insertions(+)
> 
> I don't think we should be doing this by default. IMHO this is something
> the mgmt app / admin should take care of it they want to have separate
> /run.
> 
> You may be preventing access to the systemd socket by doing this, but
> equally you can be breaking any number of other valid use cases by
> hiding the host's /run

We can't assume user know the root reason why shutdown in container will
shut down the host. they don't know it's because of container shares the
/run/ directory with host. This will confuse them and bring bad image to
them. We have lxcContainerHasReboot in libvirt, and it did tell user that
"Containerized reboot support is available", but the fact is reboot in
container will reboot host.

and the /run directory is mounted as tmpfs on host. it means the files
under /run are temporary, I don't think it's meaningful to share these
files with container.

If someone really want to share host's /run directory with container, he
should add this filesystem configuration to the domain xml.

> 
> Ultimately user namespace should prevent access to the systemd
> sockets for people wanting a secure setup without replacing /run
>

Some people may think user namespace is too strict, they may dislike
to enable user namespace, just like they may want share net namespace
with host. They have rights to start a container which shares same
user namespace with host.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]